Weighing in at a hefty 3,000 words, it’s pretty long, even for me. It’s more than most people ever need to know about visual verification schemes. But hidden in there is a call to think about the problem you’re solving before relying on CAPTCHAs as a panacea. In some cases, outside of accessibility factors, its use is overkill. And in others, it may provide a dangerous false sense of security.

The new paper also gets into details the older version didn’t, and offers actual guidance at the end for solving the problem. The short version is as follows:

If you are a major site that doesn’t have a choice

…then it makes sense to have to use CAPTCHA, but you must allow other ways for real humans to access your service in a timely fashion.

If you are a low-volume site such as a blog

…don’t use CAPTCHA. Especially if it’s just to protect against posting spam comments. It’s inefficient, it’s a usability barrier for everyone, and it locks out more people than you think. Bayesian filtering is a Good Thing. I get dozens to hundreds of comment spams daily, and Spam Karma 2 for WordPress catches them all silently.

If you are a financial services site

…don’t use CAPTCHA-like tools for access control. New authentication systems are in use that randomize letter codes to correspond to a numeric keypad displayed on-screen. At best, the design falls into the dubious category of security through obscurity, which means it will be exploited when someone feels like it’s worthwhile. In the meantime, you’re blocking vision- and mobility-impaired users from basic tasks that would allow them to live unassisted. Until you figure it out, don’t take away those users’ autonomy for a short-term security benefit.

Have a look if you are using or considering CAPTCHAs for your site. And thanks to the Working Group, Al Gilman, Jon Gunderson, Janina Sajka, Marc-Antoine Garrigue, Dina Katabi, Kentarou Fukuda, Casey Chesnut, Sam Hocevar, Peter Krantz, Jason White and Viking At Large Charles McCathieNevile for their work on this paper and/or making access control more accessible.

2 responses to “CAPTCHA paper updated”

I think it is very good that that the W3C WG has created this document. It makes it a lot more easy for people who work with government web guidelines as there is now a third party that can be quoted instead of each country implementing their own recommendation.

An old article and still useful till now. I used CAPTCHA usualy at websites, now I start use CMS like Drupal and that was the reason to stop use CAPTCHA for me, because CMS contains some spam barier already.